/src/postgres/src/backend/utils/misc/stack_depth.c
Line | Count | Source |
1 | | /*------------------------------------------------------------------------- |
2 | | * |
3 | | * stack_depth.c |
4 | | * Functions for monitoring and limiting process stack depth |
5 | | * |
6 | | * Portions Copyright (c) 1996-2025, PostgreSQL Global Development Group |
7 | | * Portions Copyright (c) 1994, Regents of the University of California |
8 | | * |
9 | | * |
10 | | * IDENTIFICATION |
11 | | * src/backend/utils/misc/stack_depth.c |
12 | | * |
13 | | *------------------------------------------------------------------------- |
14 | | */ |
15 | | |
16 | | #include "postgres.h" |
17 | | |
18 | | #include <limits.h> |
19 | | #include <sys/resource.h> |
20 | | |
21 | | #include "miscadmin.h" |
22 | | #include "utils/guc_hooks.h" |
23 | | |
24 | | |
25 | | /* GUC variable for maximum stack depth (measured in kilobytes) */ |
26 | | int max_stack_depth = 100; |
27 | | |
28 | | /* max_stack_depth converted to bytes for speed of checking */ |
29 | | static ssize_t max_stack_depth_bytes = 100 * (ssize_t) 1024; |
30 | | |
31 | | /* |
32 | | * Stack base pointer -- initialized by set_stack_base(), which |
33 | | * should be called from main(). |
34 | | */ |
35 | | static char *stack_base_ptr = NULL; |
36 | | |
37 | | |
38 | | /* |
39 | | * set_stack_base: set up reference point for stack depth checking |
40 | | * |
41 | | * Returns the old reference point, if any. |
42 | | */ |
43 | | pg_stack_base_t |
44 | | set_stack_base(void) |
45 | 6.48k | { |
46 | | #ifndef HAVE__BUILTIN_FRAME_ADDRESS |
47 | | char stack_base; |
48 | | #endif |
49 | 6.48k | pg_stack_base_t old; |
50 | | |
51 | 6.48k | old = stack_base_ptr; |
52 | | |
53 | | /* |
54 | | * Set up reference point for stack depth checking. On recent gcc we use |
55 | | * __builtin_frame_address() to avoid a warning about storing a local |
56 | | * variable's address in a long-lived variable. |
57 | | */ |
58 | 6.48k | #ifdef HAVE__BUILTIN_FRAME_ADDRESS |
59 | 6.48k | stack_base_ptr = __builtin_frame_address(0); |
60 | | #else |
61 | | stack_base_ptr = &stack_base; |
62 | | #endif |
63 | | |
64 | 6.48k | return old; |
65 | 6.48k | } |
66 | | |
67 | | /* |
68 | | * restore_stack_base: restore reference point for stack depth checking |
69 | | * |
70 | | * This can be used after set_stack_base() to restore the old value. This |
71 | | * is currently only used in PL/Java. When PL/Java calls a backend function |
72 | | * from different thread, the thread's stack is at a different location than |
73 | | * the main thread's stack, so it sets the base pointer before the call, and |
74 | | * restores it afterwards. |
75 | | */ |
76 | | void |
77 | | restore_stack_base(pg_stack_base_t base) |
78 | 0 | { |
79 | 0 | stack_base_ptr = base; |
80 | 0 | } |
81 | | |
82 | | |
83 | | /* |
84 | | * check_stack_depth/stack_is_too_deep: check for excessively deep recursion |
85 | | * |
86 | | * This should be called someplace in any recursive routine that might possibly |
87 | | * recurse deep enough to overflow the stack. Most Unixen treat stack |
88 | | * overflow as an unrecoverable SIGSEGV, so we want to error out ourselves |
89 | | * before hitting the hardware limit. |
90 | | * |
91 | | * check_stack_depth() just throws an error summarily. stack_is_too_deep() |
92 | | * can be used by code that wants to handle the error condition itself. |
93 | | */ |
94 | | void |
95 | | check_stack_depth(void) |
96 | 3.72k | { |
97 | 3.72k | if (stack_is_too_deep()) |
98 | 3 | { |
99 | 3 | ereport(ERROR, |
100 | 3 | (errcode(ERRCODE_STATEMENT_TOO_COMPLEX), |
101 | 3 | errmsg("stack depth limit exceeded"), |
102 | 3 | errhint("Increase the configuration parameter \"max_stack_depth\" (currently %dkB), " |
103 | 3 | "after ensuring the platform's stack depth limit is adequate.", |
104 | 3 | max_stack_depth))); |
105 | 3 | } |
106 | 3.72k | } |
107 | | |
108 | | bool |
109 | | stack_is_too_deep(void) |
110 | 3.72k | { |
111 | 3.72k | char stack_top_loc; |
112 | 3.72k | ssize_t stack_depth; |
113 | | |
114 | | /* |
115 | | * Compute distance from reference point to my local variables |
116 | | */ |
117 | 3.72k | stack_depth = (ssize_t) (stack_base_ptr - &stack_top_loc); |
118 | | |
119 | | /* |
120 | | * Take abs value, since stacks grow up on some machines, down on others |
121 | | */ |
122 | 3.72k | if (stack_depth < 0) |
123 | 0 | stack_depth = -stack_depth; |
124 | | |
125 | | /* |
126 | | * Trouble? |
127 | | * |
128 | | * The test on stack_base_ptr prevents us from erroring out if called |
129 | | * before that's been set. Logically it should be done first, but putting |
130 | | * it last avoids wasting cycles during normal cases. |
131 | | */ |
132 | 3.72k | if (stack_depth > max_stack_depth_bytes && |
133 | 3 | stack_base_ptr != NULL) |
134 | 3 | return true; |
135 | | |
136 | 3.71k | return false; |
137 | 3.72k | } |
138 | | |
139 | | |
140 | | /* GUC check hook for max_stack_depth */ |
141 | | bool |
142 | | check_max_stack_depth(int *newval, void **extra, GucSource source) |
143 | 4 | { |
144 | 4 | ssize_t newval_bytes = *newval * (ssize_t) 1024; |
145 | 4 | ssize_t stack_rlimit = get_stack_depth_rlimit(); |
146 | | |
147 | 4 | if (stack_rlimit > 0 && newval_bytes > stack_rlimit - STACK_DEPTH_SLOP) |
148 | 0 | { |
149 | 0 | GUC_check_errdetail("\"max_stack_depth\" must not exceed %zdkB.", |
150 | 0 | (stack_rlimit - STACK_DEPTH_SLOP) / 1024); |
151 | 0 | GUC_check_errhint("Increase the platform's stack depth limit via \"ulimit -s\" or local equivalent."); |
152 | 0 | return false; |
153 | 0 | } |
154 | 4 | return true; |
155 | 4 | } |
156 | | |
157 | | /* GUC assign hook for max_stack_depth */ |
158 | | void |
159 | | assign_max_stack_depth(int newval, void *extra) |
160 | 4 | { |
161 | 4 | ssize_t newval_bytes = newval * (ssize_t) 1024; |
162 | | |
163 | 4 | max_stack_depth_bytes = newval_bytes; |
164 | 4 | } |
165 | | |
166 | | /* |
167 | | * Obtain platform stack depth limit (in bytes) |
168 | | * |
169 | | * Return -1 if unknown |
170 | | * |
171 | | * Note: we choose to use ssize_t not size_t as the result type because |
172 | | * callers compute values that could theoretically go negative, |
173 | | * such as "result - STACK_DEPTH_SLOP". |
174 | | */ |
175 | | ssize_t |
176 | | get_stack_depth_rlimit(void) |
177 | 6 | { |
178 | 6 | #if defined(HAVE_GETRLIMIT) |
179 | 6 | static ssize_t val = 0; |
180 | | |
181 | | /* This won't change after process launch, so check just once */ |
182 | 6 | if (val == 0) |
183 | 2 | { |
184 | 2 | struct rlimit rlim; |
185 | | |
186 | 2 | if (getrlimit(RLIMIT_STACK, &rlim) < 0) |
187 | 0 | val = -1; |
188 | 2 | else if (rlim.rlim_cur == RLIM_INFINITY) |
189 | 0 | val = SSIZE_MAX; |
190 | | /* rlim_cur is probably of an unsigned type, so check for overflow */ |
191 | 2 | else if (rlim.rlim_cur >= SSIZE_MAX) |
192 | 0 | val = SSIZE_MAX; |
193 | 2 | else |
194 | 2 | val = rlim.rlim_cur; |
195 | 2 | } |
196 | 6 | return val; |
197 | | #else |
198 | | /* On Windows we set the backend stack size in src/backend/Makefile */ |
199 | | return WIN32_STACK_RLIMIT; |
200 | | #endif |
201 | 6 | } |